1peter1xx
Level 1

Hi,

I have a Windows PC in our DMZ that I need to authenticate to our Active Directory. I have seen several lists of different ports that I need to allow through, but they all refer to replication etc., which I don't need: I just want to authenticate! I hope the list just to allow authentication is shorter than any of the lists I've come across so far. If you have a short list of ports, or even a long list if that's really what I need, please let me have it.

Regards,

Peter

Comments
jcollins13
Level 1

Peter,

This will depend on your configuration but from what I remember the process is broken out into two sections. Name Resolution and Authentication.

So are you using DNS or WINS (DNS hopefully)?

If you are using WINS you should have to open 137-139.

If you are using DNS you should be able to get away with 53 and 445.

Can anyone else confirm or correct this?

Eli Barb
Level 1

I've seen the following included in some ACLs that segment machines in a DMZ from your AD. Sometimes they'll also want to be able to ping the AD servers so you may need ICMP echo opened up as well.

TCP/UDP LDAP - 389

TCP/UDP KERBEROS - 88

TCP RPC - 135

TCP SMB - 445

TCP LDAP GC - 3268

UDP DNS - 53

ljbrock27
Community Member

The list posted by Eli is what I use, Add TCP 1025 & 1026 -- you should be good to go.

Also one option is to deny everything and attempt a login from the PC and watch the ASDM debugging screen and start opening up the ports on our lists until you get what you are looking for.
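The port list in Eli's post (plus the TCP 1025/1026 Leon adds) and Leon's "deny everything and watch what gets blocked" approach both come down to the same check: can the DMZ host actually reach the domain controller on each of those ports? The following PowerShell script is an added example written for this thread, not code posted by any of the participants. It runs on the DMZ PC, probes each TCP port in the list with Test-NetConnection, pings the DC (for the ICMP echo Eli mentions), and then exercises the two UDP services the logon really depends on (DNS SRV lookup and the Kerberos/secure-channel path) through the OS itself, since UDP can't be probed with a plain TCP connect. The DC name `dc01.corp.example` and domain `corp.example` are placeholders; substitute your own.

```powershell
# Added example (not from the thread): probe the AD ports discussed above
# from the DMZ host. Requires Windows 8 / Server 2012 or later for
# Test-NetConnection and Resolve-DnsName.
param(
    [string]$Dc     = 'dc01.corp.example',   # assumed DC name or IP; replace
    [string]$Domain = 'corp.example'         # assumed AD DNS domain; replace
)

# TCP ports from Eli's list, plus the two RPC ports Leon adds.
$TcpPorts = @(
    @{ Port = 53;   Service = 'DNS (TCP, large responses / zone data)' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 3268; Service = 'LDAP Global Catalog' },
    @{ Port = 1025; Service = 'RPC (added by Leon)' },
    @{ Port = 1026; Service = 'RPC (added by Leon)' }
)

# ICMP echo: Eli notes some ACLs also allow ping to the DCs.
$ping = Test-NetConnection -ComputerName $Dc -WarningAction SilentlyContinue
"ICMP echo to $Dc : " + $(if ($ping.PingSucceeded) { 'OK' } else { 'BLOCKED' })

# TCP probes: one connect attempt per port, collected into a table so the
# blocked ports stand out. Anything showing Open=False is a candidate for
# the ACL, which is Leon's "open them one at a time" procedure in reverse.
$results = foreach ($entry in $TcpPorts) {
    $t = Test-NetConnection -ComputerName $Dc -Port $entry.Port `
                            -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $entry.Port
        Service = $entry.Service
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# UDP 53: the SRV lookup a domain member performs to locate a DC. If this
# fails, nothing after it will work regardless of the other ports.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc

# Kerberos (UDP/TCP 88) and the secure channel: let the OS do a real
# logon-path check against the domain (the PC must already be joined).
nltest /sc_query:$Domain
```

Run it first with the ACL wide open to confirm the script itself is sound, then with your candidate ACL in place; a port that flips to Open=False is one the firewall is dropping. Note that this only confirms connectivity, not that the service on the other end is healthy, so pair it with the nltest result rather than reading the table alone.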

1peter1xx
Level 1

Thanks guys.

Sorry for the delay in replying, but I've been out of the office and these pages are impossible to read/navigate on my PDA!

So, yes John, we are using DNS.

Eli: your list is about as long as others I've seen, but I was hoping for a shorter list.

Leon: I've not used ASDM, and having done a quick search for it, found a demo version, so I'm guessing I'd have to buy it. As we have just 2 PIXes, that feels like overkill and my boss is really tight!

Anyway, I'll give it a go and report back...

jcollins13
Level 1

Peter,

Give it a shot with just DNS (UDP & TCP) and 445 (TCP). I think you should be able to get away with just those in your situation.
